Heading 1

Download

Cyber In security News

TM

AUGUST 2018
INTERVIEW:
CHRIS COLVIN / IN THE HOUSE
SUBSCRIBE FOR FREE
CREATING AN IN-HOUSE FORUM ON CYBERSECURITY
In The House aims to help its members emerge as leaders in the field.
Chris Colvin completed a cybersecurity certificate course at Harvard University this year. It wasn’t because he intended to change jobs. He already had his hands full as the founder and general counsel of the membership organization In The House. He also runs related businesses, is a lawyer for several companies and maintains an IP practice. So what was his motivation? “I’m a general counsel to several small companies,” he says. “I think there are certain issues that every general counsel needs to understand and be up to speed on. And I view cybersecurity as one of those.”  
  Colvin recently decided to launch working groups on various topics for his members, and one of them is on cybersecurity. We at CyberInsecurity agreed to co-chair that working group, which will launch with a video chat on the morning of August 9. We sat down with Colvin, using the video chat that has become one of his preferred methods of networking, to ask how he got here—and where he expects the group to go.
How much do lawyers need to know about this subject, and how much is the province of tech? And where are the boundaries?
CyberInsecurity: When did you decide to start a Cybersecurity Working Group at In The House, and why?
Chris Colvin: I thought it was difficult, in the existing environment, for in-house counsel with a particular interest to easily find colleagues who shared that interest, in order to exchange information and best practices. So this was part of a larger movement to create specialty working groups. You might consider them the rough equivalent of a bar association committee. But I wanted to use the term “working group” to emphasize the fact that we’re really rolling up our sleeves and trying to grapple with some of the most important issues facing in-house counsel. Our working groups started early this year in the conceptual phase, and each of them is moving forward as we bring on board chair people and guest speakers and seek sponsors. The cybersecurity group was one that I viewed as extremely important. It was one reason I took the cybersecurity course from Harvard—not only to be a better GC, but to give me more ideas for that group.

CI: What do you hope the group accomplishes?
CC: I have two goals. First, I’d like it to become the go-to destination for in-house counsel who care deeply about cybersecurity, and want to figure out how they can best serve their internal clients and also work best with their technical colleagues. The second is to groom thought leadership on this topic within the in-house community. And this is a common thread that I’ve seen with a lot of issues for in-house counsel. It’s hard to find out who are the most knowledgeable people in this area when it comes to in-house counsel. It’s easier to make those kinds of decisions when you’re looking at technical professionals, because there are professional groups that certify cybersecurity professionals. But we don’t have that within the in-house community.
  Traditionally, we’re sort of a low-key community. We don’t like to make a lot of noise about what we’re working on. We care about our clients’ confidentiality, and we tend to let our work speak for itself rather than tooting our own horn. But an unintended consequence of this reticence is that it’s really hard to find other in-house lawyers who care about this issue, and even more difficult to find the emerging thought leaders who can talk intelligently about the many questions we’re grappling with. For instance: If you’re an in-house lawyer, what do you need to know? How do you most effectively advise your management team? How do you work in lockstep with the technical professionals at your company to make sure you are staying on top of trends?

CI: Why did you ask us to co-chair the working group?
CC: Well, first I like your name. I'm joking, but “CyberInsecurity” is a clever name, and it also captures the fundamental instability that we have in this area. I like the name for that reason even more than that it's a clever name. Cybersecurity is one of those areas where, if you're smug or comfortable, you're doing something wrong. So I like your approach. And I also like to work with fleet-footed partners, because in the legal industry we're part of a profession that traditionally looked backward, looked at precedent and analyzed. And we need to figure out a way to be more forward-looking, because we're in a faster-moving environment than we've ever been in before. And I thought that working with a publication like CyberInsecurity would be a great way to help our members stay on top of those trends and spur discussions.

CI: You have a graphic that shows five areas where you have concerns about the way, in your view, in-house attorneys have been underserved. Three of the areas are the education that lawyers receive; the media that is tailored to them; and the technology that's curated for them. Cybersecurity would seem to loom large in all three, and that’s 60 percent of your agenda. Is that what makes this subject such a big deal these days?
CC: Cybersecurity cuts across many of the issues in which we feel that in-house counsel have traditionally been underserved. And I guess I would say that, to my mind, the reason that cybersecurity cuts across so many of these issues is the same reason that it’s infiltrating every aspect of our lives, whether we're an in-house lawyer or we have some other professional niche. Partly because we've become so dependent on technology, and probably because we all carry these supercomputers around in our pockets, we can't ignore cybersecurity. One reason I think lawyers are well-suited to play a role in addressing the issues is that our jobs require us to become expert risk managers. That's one of the core skill sets that in-house counsel must develop to succeed.

CI: Who can join the Cybersecurity Working Group? And how do they go about it? 
CC: That really goes to our membership philosophy. We have a different approach—I would contrast us with traditional bar associations. We've made a business decision to reach out to people throughout the legal community and indeed the larger business community. So literally anyone can join In The House, as long as you care deeply about in-house counsel and believe in our mission, which is all about empowering in-house counsel. If you're going to join our community, it’s really important that you're willing to contribute to meaningful discussions and understand that our focus is 100 percent on helping in-house counsel succeed. If you want to join the Cybersecurity Working Group, you just need to join In The House. Dues are pretty minimal. Full-time in-house counsel pay $8.95 a month to join. If you're a part-time in-house lawyer, dues are $9.95 a month. And for others who want to support our mission and participate in our discussions, an affiliate membership is $12.95 a month. That’s coffee and doughnut money. We want In The House membership to be a no-brainer for people who care about our community.

CI: You have working groups, live networking events and video networking events. How do these pieces fit together?
CC: Videoconferencing has really evolved over the last couple of years. It's become a technology that's almost universally available and works quite well. If you think about what networking is and how you build a personal network, everything you can do by gathering in a conference center, or some other physical location, you can do effectively by video. So I've come to view technology as a wonderful tool that we can use to bring people together very affordably.
  I also view video as a twofold technology when it comes to our community. It’s a great tool for exchanging information in casual networking sessions. People can be wherever they need to be geographically and can easily share information. But video is also a great tool for leadership development, which is core to our mission. One of our initiatives is that we're partnering with a company to create broadcast-quality video profiles of in-house thought leaders—a project that is getting underway as we speak. These are videos that will convey knowledge to other members, but also help our community members become leaders within this community. I believe that this technology can be transformative and empowering for in-house counsel.

CI: Where are your conferences? I don’t see any announcements about them.
CC: That’s another thing that we're doing different. We don't believe in waiting for a big annual conference to share information with our members. In today’s environment, a conference is like waiting for the packet boat to arrive from England. That's how people used to get their mail in the days of the old Royal Navy, and it was the fastest communication technology of the time. But why would we wait for the big annual conference on cybersecurity to exchange information with our peers? That doesn't make sense. It's too late, and it’s not the most efficient mechanism for knowledge sharing. We believe in video networking and online forums for exchanging information on a regular basis. Those are our workaday tools for establishing and sharing best practices. We still believe in personal get-togethers, because we're human beings, and they’re a great way to get to know our peers. But in-person get-togethers are best when they are more social in nature. That's a better use of our face-to-face time than having a bunch of talking head presentations, with most of the people sitting silently in the audience.
  The concept of getting in-house counsel out of the audience and into the conversation actually goes back to the very beginning of In The House. The idea  first came to me because I had attended countless meetings for in-house counsel where the information conveyed was OK. There was nothing wrong with it. But by far the best session was the post-meeting networking over cocktails or over lunch. I realized that was what people really came for. So our goal was: Let's go straight to what people care about, which is networking, helping each other, being active participants in the conversation rather than spectators.

CI: One of the issues that our publication keeps returning to is the relationship between companies under attack and the government. Friends, enemies, frenemies? What is that relationship? When should companies cooperate with the government, when should they report breaches, when should they ask for help? And when should they worry about finding themselves in the crosshairs of regulators, or pressured to turn over customer information? Are these issues that your members worry about?
CC: Yeah, absolutely. It would be hard to be alive and have a pulse and not be concerned about those issues. In this day and age, how we as in-house counsel engage with the government or other private companies can vary, depending on the time and circumstances. It's very situational. One thing that lawyers are good at, fortunately, is playing multiple roles. We're pretty good at saying, “Maybe I can cooperate with this person in one context but be their opponent in another.” We need to be flexible.  
  But cybersecurity is also an area where there are clear good guys and bad guys. There are a lot of professional hackers out there who are very talented and are in it for either political purposes or financial purposes, and we need to band together, all professionals of good faith, to fight those folks. But individually, we also have our clients that we need to serve, and those two jobs will sometimes go hand in hand, but sometimes they won't. Sometimes we need to oppose government action, if we have a good legal basis for it and it's the appropriate action to take on behalf of our clients. But at other times we can and should cooperate with government.
  So I don't think there's one answer to your question. And that's one of the reasons we're starting this group: to talk about these things. Let's have an informal board of advisers to call when you have questions about new situations. And when it comes to cybersecurity, most of the situations are new. Sometimes within our own companies we want to seem like we have all the answers. Lawyers in particular want to be seen as the people with the answers. And sometimes that's the best way to present ourselves professionally. But that doesn't mean we can't call a friend at another company and say, “Hey, I'm dealing with this unusual situation. I’m not sure what to do here. Have you guys dealt with that, or do you know someone who has?” Everybody can benefit from that kind of information sharing, especially in a shifting environment like cybersecurity.

CI: What are some of the other aspects of cybersecurity that worry in-house lawyers?
CC: One area that is very confusing is education. That's one reason I took the Harvard course. What do I need to know as an in-house lawyer? It's a little easier to understand if you're the tech person sitting in the tech command center of your company. But if I'm a lawyer who might deal primarily with employment issues or litigation issues, what is the cybersecurity knowledge base that I need? What is my company expecting? What should they expect? It's sort of a free-floating anxiety in the legal community right now. A related anxiety is: Where are the boundaries? What can I safely leave to the tech people, and what do I need to know so that I can be a better partner and adviser to them? Because—spoiler alert!—the tech folks don't always have all the answers. Sometimes they need guidance from Legal to do things in a way that best serves the company. A good example that’s very current is the General Data Protection Regulation that went into effect in Europe. I'm not an expert in this area, but I know enough to say that if your company touches EU citizens in any way, you’d better know a little bit about the GDPR. And the tech folks may be up on that, or they may be aware of some checklists, but if your company’s management is not getting good legal advice along with the tech advice, there may be missteps. So where's the boundary, and how do you work together with your peers in tech?

CI: We in the media have a tendency to dwell on the dangers, the risks, the threats, the bad news. Do you see evidence of progress and reasons to be optimistic about the future in this area?
CC: I'm sort of an optimist by nature. For me it's easier to navigate through the world as an optimist, because I like to focus on the positive developments in many areas. We have to hope for the best and plan for the worst, as the old saying goes. But I do think that lawyers are becoming more aware of cybersecurity. It's an acknowledged area of expertise now, and the lawyers that I speak with, whether they're in-house or outside lawyers, see the rising cybersecurity challenges as more than just a professional opportunity to make money or to burnish their credentials. I think they understand that experienced lawyers have a real skill set that can be applied to these issues. A lot of lawyers can be calm in a crisis. We're able to be objective. It’s an area where laws and rules and regulations do matter. And lawyers are a necessary part of this conversation. I'm very optimistic that not only will the good guys be able to keep up with the bad guys, but in-house lawyers will be among those good guys helping to fight the good fight.


For an attorney, cybersecurity seems to be a subject that’s difficult to ignore.